For our 2022 cybersecurity research paper we interviewed over 200 cybersecurity professionals and conducted in-depth interviews. Sean Arrowsmith, Group Sales Director, summarises the valuable advice and insight for incoming CISOs that we gathered during the process.
The big concern for CISOs today is the lack of budget. It’s difficult to say how much money is enough because CISOs told us they don’t always have complete visibility of the risk, but every CISO is constantly arguing for more. There are signs of that improving because new risks – and ongoing global instability such as the war in Ukraine – have pushed cybersecurity higher up the agenda.
Governance remains an issue, however. In some places the CISO still reports to the CIO, which hinders communication with the board. And within the organisation there can be a perception that cybersecurity slows down innovation, so support from the board is vital.
CISOs have endured repeat crises over the past few years, such as the Colonial Pipeline attack, the JBS attack, SolarWinds and more. Even when it isn’t a cybersecurity incident, there is often a cybersecurity angle. The rapid shift to remote working during the Covid-19 pandemic was a huge cybersecurity challenge and the war in Ukraine has put lots of organisations on cyber-attack alert. Current threats are so numerous and so fast-moving that executives just don’t have time to plan. Add to that the rate of business change and the pace of new technology adoption, and it’s no surprise that they’re constantly in reactive mode.
The risk of being collateral damage from attacks on others is something that a lot of organisations overlooked in the past, but supply-chain and third-party threats are on the agenda now. If the supplier of one tiny ingredient for the company’s products gets attacked, then the product can’t ship until the organisation knows everything is safe. The costs of something relatively small can be enormous.
Being a CISO can be rewarding. There’s lots of visibility with senior leadership and balancing the roles of technology leader and business communicator is an engaging opportunity. But it’s demanding, too. Many things may be in a mess when a new CISO arrive in post, so they must quickly identify what needs to improve and be able to communicate that to the business.
A major challenge is learning to take holidays and shut down for a while. Many CISOs burn out after a few years. A new CISO must build resilience into their team so it can function without them, and they must learn to delegate. They should focus on what they’re good at and delegate what they aren’t. Prioritise the leadership role and delegate the day-to-day. However, that is complicated by the fact that talent is so hard to find. Diversity and inclusion are a particular struggle because there just aren’t enough good people out there.
There’s camaraderie among CISOs. It’s important to build a network, because a lot of information comes through informal channels, but it’s also useful to have people to talk to who have dealt with the same issues and can share tips for dealing with them. Sometimes it simply helps to vent!
For the full story, read the report.
For a free 30 minute consultation about your cybersecurity needs, click here.